Merge pull request #42426 from michaelgibson/features/issue-42280

adding 2-factor auth capability to ldap eauth module - #42280
2025-04-17 10:10:20 +00:00 · 2017-07-31 15:01:43 -05:00 · 2017-07-31 15:01:43 -05:00 · b5304e73db
commit b5304e73db
parent 184ee37cf7 12100696bf
2 changed files with 29 additions and 5 deletions
--- a/doc/topics/releases/oxygen.rst
+++ b/doc/topics/releases/oxygen.rst
@ -25,6 +25,19 @@ by any master tops matches that are not matched via a top file.
 To make master tops matches execute first, followed by top file matches, set
 the new :conf_minion:`master_tops_first` minion config option to ``True``.

+LDAP via External Authentication Changes
+----------------------------------------
+In this release of Salt, if LDAP Bind Credentials are supplied, then
+these credentials will be used for all LDAP access except the first
+authentication when a job is submitted.  The first authentication will
+use the user's credentials as passed on the CLI.  This behavior is to
+accommodate certain two-factor authentication schemes where the authentication
+token can only be used once.
+
+In previous releases the bind credentials would only be used to determine
+the LDAP user's existence and group membership.  The user's LDAP credentials
+were used from then on.
+
 New GitFS Features
 ------------------

--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@ -280,8 +280,14 @@ def auth(username, password):
    '''
    Simple LDAP auth
    '''
-    if _bind(username, password, anonymous=_config('auth_by_group_membership_only', mandatory=False) and
-                                           _config('anonymous', mandatory=False)):
+    #If bind credentials are configured, use them instead of user's
+    if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
+        bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+    else:
+        bind = _bind(username, password, anonymous=_config('auth_by_group_membership_only', mandatory=False) and
+                                        _config('anonymous', mandatory=False))
+
+    if bind:
        log.debug('LDAP authentication successful')
        return True
    else:
@ -306,8 +312,9 @@ def groups(username, **kwargs):
    '''
    group_list = []

-    bind = _bind(username, kwargs['password'],
-                 anonymous=_config('anonymous', mandatory=False))
+    # Perform un-authenticated bind to determine group membership
+    bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+
    if bind:
        log.debug('ldap bind to determine group membership succeeded!')

@ -381,7 +388,11 @@ def groups(username, **kwargs):
                        group_list.append(group.split(',')[0].split('=')[-1])
            log.debug('User {0} is a member of groups: {1}'.format(username, group_list))

-            if not auth(username, kwargs['password']):
+            # Only test user auth on first call for job.
+            # 'show_jid' only exists on first payload so we can use that for the conditional.
+            if 'show_jid' in kwargs and not _bind(username, kwargs['password'],
+                                            anonymous=_config('auth_by_group_membership_only', mandatory=False) and
+                                            _config('anonymous', mandatory=False)):
                log.error('LDAP username and password do not match')
                return []
    else: